LE Cross Signed Intermediate Certificate


#1

Hey,
how does LE cross signed his Intermediate Certificate?

Can you provide a Documentation how to Cross Sign a (Intermediate/ Root) Certificate/ CA?
I have tried to create a Test PKI/ CA but how can i Cross Sign my Intermediate/ Root Certificate Nr. 1 with the Root CA Nr. 2?


#2

You can see the two intermediates “Let’s Encrypt Authority X3 (IdenTrust cross-signed)” and “Let’s Encrypt Authority X3 (Signed by ISRG Root X1)” there:

If I understand correctly, these two intermediate are generated using the same data (same public-private key pair, same name, etc). The only difference is one is signed by “ISRG Root X1” and the other by IdenTrust.

So to answer your question, after your generate your intermediate signed by your “Root Certificate Nr. 1”, to generate the cross signed, you just generate the exact same intermediate, but you sign it using “Root CA Nr. 2” this time.

May I ask why you want to cross signed? It’s done usually when one root is not yet trusted enough, the intermediate is cross signed by another root, which is already trusted by more devices.


#3

It’s for Testing purposes only.

But how do i Sign the CSR with “Root Certificate Nr. 1” and “Root Certificate Nr. 2”?


#4

Most people would probably do this using openssl ca (unfortunately I don’t remember the exact command-line arguments; it can be a slightly complex process).

https://linux.die.net/man/1/ca

Edit: you might need to use openssl req to make a CSR first. You might also need to create some CA-related configuration and policy files. I don’t think it’s a very trivial process!


#5

@schoen regarding ECDSA Root and Intermediates could Let’s Encrypt document how they do it (preferably before doing it) ?


#6

If you want to run your own CA with OpenSSL manually, here is a very good guide I’ve also used successfully: https://jamielinux.com/docs/openssl-certificate-authority/

Cross-signing is just signing an intermediate CSR with another root certificate.


#7

All of the relevant keys are generated and stored only in hardware security modules, not on ordinary server machines, and so I’m doubtful that the instructions would be very useful to people using OpenSSL or storing keys as PEM files on hard drives. Although knowing how to do this can be helpful, you’re not likely to do it the same way that a public CA would unless you have very specialized infrastructure.

Maybe when @jsha is available he could comment on what information about past or future key ceremonies can be made public.


#8

Thank you. Even if it’s not useful for ordinary people, I think it’s important that Let’s Encrypt share as much information as possible:

  • Let’s Encrypt is now a vital part of the internet infrastructure
  • To lower the entry bar if an organisation wants to replicate it’s work.

#9

Bear in mind that Let’s Encrypt also has a reasonable responsibility to keep confidential security information confidential. If another organization wants to replicate their work, I would hope that they’d have the requisite knowledge and aptitude to do it correctly themselves, not rely on an incomplete picture of how another CA does it.


#10

If course, security is important (that’s why we use certificates!) but

  • Security through obscurity doesn’t seams to be in the Let’s Encrypt principles ( https://letsencrypt.org/about/ )
  • The openness of Let’s Encrypt is important because of the key role Let’s Encrypt plays
  • If we want to keep the web open, it’s important that more certificates authority sharing the sames principles of Let’s Encrypt appears. And to encourage that one way it to lower the entry barriers, by making information public as much as possible.

#11

I agree with these points. ICANN publishes all of the materials used for the DNSSEC root signing process (https://www.iana.org/dnssec/ceremonies/32), I would assume ISRG/Let’s Encrypt has similar procedures and materials stored somewhere.

I think if Let’s Encrypt made these public, it would greatly improve the public trust, and silence anyone who says “Let’s Encrypt is not as secure as a commercial CA”. As well as help the community learn about what goes into making a CA.


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.